Google will pay a $170 million fine to settle allegations that its YouTube subsidiary illegally collected personal information about children without their parents' consent, according to the U.S. Federal Trade Commission.

But some children's right groups and members of Congress say the penalty is far too low.

U.S. Sen. Josh Hawler, R-Mo., who has been increasingly critical of large technology companies for profiting from users' data, ripped the agreement in a tweet, arguing that the FTC has not done enough to ensure privacy.

Every day I lose more confidence in the FTC. This paltry fine is an insult to every parent in America who has had their children's privacy violated. When big bureaucracy & Big Tech becomes allies, parents & families lose. Something has to change https://t.co/UJZuGEUUmN

Children's Privacy

On Wednesday, the FTC announced that it voted 3-2, with the three Republicans appointees voting for and the two Democrats voting against, to fine Google and its YouTube subsidiary. Google will pay $136 million to the FTC and $34 million to the New York Attorney General's Office, which also brought a complaint against YouTube in this case.

The case stems from allegations that YouTube violated the Children's Online Privacy Protection Act, a 1998 law that places parents in control over what information is collected from their young children online.

The FTC and the New York attorney general charged that YouTube used persistent identifiers or cookies to track children across the internet after they looked at various video channels created specifically for children, according to the complaint. Google and YouTube then made millions of dollars targeting ads to these children, the FTC says.

(Image: FTC)

Under the Children's Online Privacy Protection Act, companies need to get parents' permission to track children under the age of 13 with cookies and other identifiers, according to the complaint.

Wednesday's settlement is the largest fine the FTC has levied against a company for violating the Children's Online Privacy Protection Act, the commission announced.

"YouTube touted its popularity with children to prospective corporate clients," FTC Chairman Joe Simons says. "Yet when it came to complying with COPPA, the company refused to acknowledge that portions of its platform were clearly directed to kids. There's no excuse for YouTube's violations of the law."

As part of the agreement, YouTube must now require the owners of these child-oriented channels to properly identify content so that no targeted ads are used. The company must also get parent's permission before collecting and sharing children's data, according to the agreement.

"Starting in about four months, we will treat data from anyone watching children's content on YouTube as coming from a child, regardless of the age of the user," YouTube CEO Susan Wojcicki says in a blog post. "This means that we will limit data collection and use on videos made for kids only to what is needed to support the operation of the service. We will also stop serving personalized ads on this content entirely, and some features will no longer be available on this type of content, like comments and notifications."

FTC Commissioner Blasts Settlement

FTC Commissioner Rebecca Kelly Slaughter, a Democrat, said in a Wednesday statement that the agreement did not go far enough and left enough room for Google to continue to profit from targeting children with ads.

The $170m @YouTube@FTC settlement is impressive as far as it goes, but I am concerned that it does not go far enough to ensure that child-directed content on YT will be treated lawfully under COPPA, so I dissented: 1/11 https://t.co/PJPbXGWkgE

"Merely requiring Google to follow the law, that's a meaningless sanction," Jeffrey Chester, the executive director of the nonprofit Center for Digital Democracy, told the New York Times.

U.S. Sen. Ed Markey, D-Mass., argues that the FTC should have issued a "colossal" fine against Google that's more in line with the company's profits. In the second quarter of this year, Google's parent company Alphabet reported a profit of nearly $10 billion, according to the Associated Press.

"The FTC should have issued a colossal fine that fits Google's crime and demanded that Google make significant structural changes to their business practices for the sake of the millions of children who use Google every day," Markey said.

But Chris Pierson, CEO of concierge cybersecurity firm BlackCloak, argues that the penalty in this case is enough to bring awareness to the situation and prompt companies to be more transparent.

"Privacy and cybersecurity must be baked into products before they go to market and the awareness must be there of those consumer options," Pierson tells Information Security Media Group. "However, fines and other penalties must be rational to bring about awareness and change as opposed to crippling fines that limit progress."

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;